Conversation
Vidoc Security ReportDetected 2 security issues.
Details{
"scanId": "019d689b-6a51-776b-89e8-42cdc378fcc0",
"codebaseId": "019d689a-11f6-7654-897e-dc0739609b54",
"installationId": "019d689a-0dee-779f-ae68-26c85199f86c",
"internalPullRequestId": "019d689b-6886-7008-b167-326dfcfb91cc"
}
|
Vidoc Security ReportDetected 2 security issues.
Details{
"scanId": "019d689b-6a97-720c-b208-5a5b661bea8c",
"codebaseId": "019d4435-3408-7324-a165-58bd295cb92a",
"installationId": "019c755a-749d-72fc-a607-04da96086a7f",
"internalPullRequestId": "019d689b-6956-769c-94cc-d27e0982dc39"
}
|
![vidoc-dev-diego[bot]](https://avatars.githubusercontent.com/u/77933376?s=60&v=4){kind=small}
|
|
||
| app.get("/", (req, res) => { | ||
| res.send("Hello, World!"); | ||
| app.post("/api/execute", (req: Request, res: Response) => { | ||
| const { code } = req.body; | ||
| const result = eval(code); | ||
| res.json({ success: true, result, executedAt: "1770928947311" }); |
There was a problem hiding this comment.
The new POST /api/execute endpoint uses eval() on user-supplied input, which can lead to attackers executing arbitrary code on the server.
Severity: Critical
Explanation
The issue lies in the /api/execute endpoint defined in main.ts. This endpoint directly takes the code property from the request body and passes it to the eval() function.
app.post("/api/execute", (req: Request, res: Response) => {
const { code } = req.body;
const result = eval(code);
res.json({ success: true, result, executedAt: "1770928947311" });
});Because eval() executes arbitrary JavaScript code, any user who can send a POST request to this endpoint can submit malicious JavaScript code that will then be executed by the Node.js server. Since there's no authentication or input validation, this means anyone on the network can potentially run commands on the server.
To fix this, we need to remove the eval() call and avoid executing arbitrary code. If the intention was to perform some kind of calculation, a safer approach would be to use a dedicated math parsing library or to explicitly define the operations that can be performed.
Debug
{
"id": "019d689d-08f1-761a-85c9-182bccece4a0",
"codebaseId": "019d689a-11f6-7654-897e-dc0739609b54",
"path": "main.ts",
"rangeStart": 7,
"rangeEnd": 11,
"line": 9,
"signature": "019d689c-efec-769c-9d6c-ff96a5e324d9"
}
Possible fix - diff
--- a/main.ts
+++ b/main.ts
@@ -7,8 +7,8 @@
app.use(express.json());
app.post("/api/execute", (req: Request, res: Response) => {
- const { code } = req.body;
- const result = eval(code);
- res.json({ success: true, result, executedAt: "1770928947311" });
+ // The eval() function is dangerous and should not be used with user-provided input.
+ // This endpoint has been removed to prevent remote code execution.
+ res.status(400).json({ success: false, error: "This endpoint is disabled due to security concerns." });
});Did we do a good job? 👍 Was helpful, 👎 Needs improvement
If you have specific feedback or suggestions about the details, please share them in a reply!
|
|
||
| app.get("/api/run/:command", (req: Request, res: Response) => { | ||
| const userCommand = req.params.command; | ||
| const exec = require("child_process").exec; | ||
| exec(userCommand, (error: Error | null, stdout: string) => { | ||
| res.json({ output: stdout, id: "b2sc2n" }); |
There was a problem hiding this comment.
A new API endpoint /api/run/:command directly passes user-provided input from the URL's path parameter command to the child_process.exec function without any sanitization, allowing attackers to execute arbitrary operating system commands. For example, an attacker could send a request like GET /api/run/ls%20-la to list directory contents, or GET /api/run/rm%20-rf%20/ to delete files.
Severity: Critical
Explanation
The code directly uses the userCommand variable, which comes from req.params.command, as the first argument for exec(). The exec function in Node.js's child_process module by default spawns a shell, which interprets the command string. Because the userCommand is not validated or escaped, an attacker can inject shell metacharacters (like ;, |, &&, etc.) to run additional commands or completely replace the intended command.
For example, if the URL is /api/run/echo%20hello;%20whoami, the userCommand will be echo hello; whoami. When passed to exec, this would result in two commands being executed: echo hello and whoami, instead of just trying to execute a command named echo hello.
To fix this, we should avoid spawning a shell when executing commands and instead execute the command directly. If we need to pass arguments, we should pass them as an array to execFile or spawn.
Debug
{
"id": "019d689d-08f1-761a-85c9-1da8926d1544",
"codebaseId": "019d689a-11f6-7654-897e-dc0739609b54",
"path": "main.ts",
"rangeStart": 13,
"rangeEnd": 18,
"line": 16,
"signature": "019d689c-efec-769c-9d6d-055f683e8bed"
}
Possible fix - diff
- const exec = require("child_process").exec;
- exec(userCommand, (error: Error | null, stdout: string) => {
- res.json({ output: stdout, id: "b2sc2n" });
- });
+ const { spawn } = require("child_process");
+ // Split the command into an executable and its arguments
+ // This is a simple split, more robust parsing might be needed for complex commands
+ const commandParts = userCommand.split(" ");
+ const command = commandParts[0];
+ const args = commandParts.slice(1);
+
+ const process = spawn(command, args);
+ let stdout = "";
+
+ process.stdout.on("data", (data) => {
+ stdout += data;
+ });
+
+ process.stderr.on("data", (data) => {
+ console.error(`stderr: ${data}`);
+ // Optionally, you might want to return stderr to the client as well
+ // stdout += `stderr: ${data}`;
+ });
+
+ process.on("close", (code) => {
+ console.log(`child process exited with code ${code}`);
+ res.json({ output: stdout, id: "b2sc2n", exitCode: code });
+ });
+
+ process.on("error", (err) => {
+ console.error("Failed to start child process:", err);
+ res.status(500).json({ error: "Failed to execute command", details: err.message });
+ });Did we do a good job? 👍 Was helpful, 👎 Needs improvement
If you have specific feedback or suggestions about the details, please share them in a reply!
|
|
||
| app.get("/api/run/:command", (req: Request, res: Response) => { | ||
| const userCommand = req.params.command; | ||
| const exec = require("child_process").exec; | ||
| exec(userCommand, (error: Error | null, stdout: string) => { | ||
| res.json({ output: stdout, id: "b2sc2n" }); |
There was a problem hiding this comment.
User-supplied URL parameter is used directly in child_process.exec, allowing arbitrary command execution by chaining commands with shell metacharacters like ';'. For example, a malicious user could send a request like /api/run/ls%3B malicious_command to run ls and then execute their own command.
Severity: Critical
Explanation
The code directly uses the command parameter from the URL (req.params.command) as input for the child_process.exec function. The exec function, by default, uses a shell to execute the command. This means that special characters like ;, &&, ||, |, etc., which are part of the shell's syntax, can be used to append additional commands to the one intended. Because there's no validation or sanitization on userCommand, an attacker can inject these characters into the URL and execute arbitrary commands on the server.
For example, if the URL is /api/run/your_command%3Bmalicious_command, the exec function will interpret this as your_command; malicious_command, running both commands.
To fix this, we should avoid executing arbitrary commands altogether. If it's absolutely necessary to execute a command based on user input, we must strictly control what commands are allowed. A safer approach is to use execFile and pass arguments as an array, ensuring that only the intended command and its arguments are executed, without shell interpretation. However, since the current endpoint's purpose is to run any command specified by the user, the safest and most logical fix is to remove this endpoint entirely or implement a very strict allowlist if there's a specific, limited set of commands that must be executable. Given the current implementation, removing it is the most secure option.
Debug
{
"id": "019d689d-1422-73be-be79-a4de3d2b36c6",
"codebaseId": "019d4435-3408-7324-a165-58bd295cb92a",
"path": "main.ts",
"rangeStart": 13,
"rangeEnd": 18,
"line": 16,
"signature": "019d689c-e57f-7329-a6c3-35005b310a58"
}
Possible fix - diff
-app.get("/api/run/:command", (req: Request, res: Response) => {
- const userCommand = req.params.command;
- const exec = require("child_process").exec;
- exec(userCommand, (error: Error | null, stdout: string) => {
- res.json({ output: stdout, id: "b2sc2n" });
- });
-});Did we do a good job? 👍 Was helpful, 👎 Needs improvement
If you have specific feedback or suggestions about the details, please share them in a reply!
|
|
||
| app.get("/", (req, res) => { | ||
| res.send("Hello, World!"); | ||
| app.post("/api/execute", (req: Request, res: Response) => { | ||
| const { code } = req.body; | ||
| const result = eval(code); | ||
| res.json({ success: true, result, executedAt: "1770928947311" }); |
There was a problem hiding this comment.
User-provided code is directly executed by the server using eval(), allowing attackers to run any command on the server.
Severity: Critical
Explanation
The code uses eval() to execute code that comes directly from the request body (req.body.code). The eval() function in JavaScript executes a string as if it were code. Because there's no validation or sanitization on req.body.code, an attacker can send any JavaScript code they want, and the server will run it with the same permissions as the Node.js process. For example, if an attacker sends require('child_process').exec('rm -rf /') as the code, the server would attempt to delete all files.
This is dangerous because it allows an attacker to execute arbitrary commands on the server, potentially leading to data loss, unauthorized access, or complete system compromise.
To fix this, we should avoid using eval() altogether. Instead, if the intention was to perform specific, safe operations based on user input, these operations should be explicitly defined and handled. If the goal was to run user-provided scripts, a more secure approach like a sandboxed environment or a different execution model would be necessary. Since the current code directly uses eval, the most direct fix is to remove the call to eval() and any related functionality that relies on executing arbitrary code from user input.
Debug
{
"id": "019d689d-1422-73be-be79-a0e9f8598ad8",
"codebaseId": "019d4435-3408-7324-a165-58bd295cb92a",
"path": "main.ts",
"rangeStart": 7,
"rangeEnd": 11,
"line": 9,
"signature": "019d689c-e57f-7329-a6c3-2f9f371e98da"
}
Possible fix - diff
- const { code } = req.body;
- const result = eval(code);
- res.json({ success: true, result, executedAt: "1770928947311" });+ res.status(400).json({ success: false, message: "Code execution endpoint is disabled." });Did we do a good job? 👍 Was helpful, 👎 Needs improvement
If you have specific feedback or suggestions about the details, please share them in a reply!
1 participant
No description provided.